Active Directory: Questions and Answers

What is the difference between Windows 2000 Active Directory and Windows 2003 Active Directory? Is there any difference in 2000 Group Polices and 2003 Group Polices? What is meant by ADS and ADS services in Windows 2003?

Windows 2003 Active Directory introduced a number of new security features, as well as convenience features such as the ability to rename a domain controller and even an entire domain – see Microsoft's website for more details.

Windows Server 2003 also introduced numerous changes to the default settings that can be affected by Group Policy – you can see a detailed list of each available setting and which OS is required to support it by downloading the Group Policy Settings Reference.

ADS stands for Automated Deployment Services, and is used to quickly roll out identically-configured servers in large-scale enterprise environments. You can get more information from the ADS homepage.

The benefits of AD over NT4 directory services

Active Directory marked a shift in the way that Microsoft manages directory services, moving from the flat and fairly restrictive namespaces used by NT4 domains and moving to an actual hierarchical directory structure. There's a sample chapter from the Windows 2000 technical reference available here that will give you a good introduction into the major differences between the NT4 and Active Directory directory services.

I want to setup a DNS server and Active Directory domain. What do I do first? If I install the DNS service first and name the zone '' can I name the AD domain '' too?

Not only can you have a DNS zone and an Active Directory domain with the same name, it's actually the preferred way to go if at all possible. You can install and configure DNS before installing Active Directory, or you can allow the Active Directory Installation Wizard (dcpromo) itself to install DNS on your server in the background.

What is the best way to migrate Exchange 2000 mailboxes to Exchange 2003?

The nice folks at have put together a pretty detailed tutorial on how to migrate from Exchange 2000 to Exchange 2003 on new hardware. The MSExchange site also hosts online forums that are frequented by Exchange MVPs who can help you with any specific errors that you run into along the way.

How do I design two Active Directory domains in a client network?

For Windows Server 2003, your best bet is going to be the Deployment Kit. The section on "Deploying Network Services" will assist you in designing and installing your DNS servers, and the section on "Designing and Deploying Directory and Security Services" will assist you with deploying Active Directory and configuring trust relationships.

What is the difference between ADS and a domain controller?

ADS is the Automated Deployment Service, which is used to quickly image, deploy, and administer servers and domain controllers on a large scale. You can find more information at the ADS Technology Center.

How can I modify the path of all my users' home directory within Active Directory using a vbs logon script?

Check out the source code from Robbie Allen's "Active Directory Cookbook". Recipe 6.4 shows you how to modify a property value for multiple users. Essentially, you select a container such as an OU or a domain and then use a FOR loop to loop through each user object in that container.
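The Cookbook recipe is written in VBScript; as an added example (not the Cookbook's code), here is the same "bind to a container, loop over each user, change one property" pattern in PowerShell using the ADSI provider the VBScript relies on. The OU path and the old and new share roots are assumed placeholders, and the script only reports what it would change unless you pass -Commit.

```powershell
# Added example: rewrite the homeDirectory attribute for every user in one OU.
# Assumptions: $OuPath, $OldRoot and $NewRoot are placeholders for your domain;
# run as an account with write permission on the user objects.
param(
    [string]$OuPath  = "LDAP://OU=Staff,DC=example,DC=com",   # assumed OU
    [string]$OldRoot = "\\oldserver\home",                     # assumed old share root
    [string]$NewRoot = "\\newserver\home",                     # assumed new share root
    [switch]$Commit                                            # omit for a dry run
)

$container = [ADSI]$OuPath
foreach ($child in $container.Children) {
    # Skip anything that is not a user object (groups, computers, child OUs)
    if ($child.SchemaClassName -ne 'user') { continue }

    $current = [string]$child.homeDirectory
    if ([string]::IsNullOrEmpty($current)) { continue }

    # Only touch paths that actually point at the old server
    if (-not $current.StartsWith($OldRoot, [System.StringComparison]::OrdinalIgnoreCase)) { continue }

    $updated = $NewRoot + $current.Substring($OldRoot.Length)
    Write-Host ("{0}: {1} -> {2}" -f [string]$child.sAMAccountName, $current, $updated)

    if ($Commit) {
        $child.Put('homeDirectory', $updated)
        $child.SetInfo()    # write the change back to the directory
    }
}
```

Note that `Children` enumerates only the direct children of the container; if your users live in nested OUs, bind a `System.DirectoryServices.DirectorySearcher` to the top OU with a `(objectClass=user)` filter and loop over its results instead.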

How do I determine if user accounts have local administrative access?

You can use the net localgroup administrators command on each workstation (probably in a login script so that it records its information to a central file for later review). This command will enumerate the members of the Administrators group on each machine you run it on. Alternately, you can use the Restricted Groups feature of Group Policy to restrict the membership of Administrators to only those users you want to belong.
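As an added example of the "record it to a central file for later review" approach, the following PowerShell logon script writes the local Administrators membership of the machine it runs on to a per-computer file on a share and flags any member that is not on an approved list. This is not from the original answer: it reads the group through the ADSI WinNT provider instead of parsing `net localgroup` output, because that text is locale-dependent and awkward to parse. The share path and the approved list are assumed placeholders.

```powershell
# Added example: audit local Administrators membership from a logon script.
# Assumptions: \\fileserver\audit is a placeholder share the logged-on account can
# write to; $Approved is illustrative and must be edited for your environment.
$CentralShare = '\\fileserver\audit'                    # assumed central share
$Approved     = @("$env:USERDOMAIN\Domain Admins",
                  "$env:COMPUTERNAME\Administrator")    # assumed approved members

# Bind to the local Administrators group; the WinNT provider exists on every
# Windows version, unlike the newer Get-LocalGroupMember cmdlet
$group   = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
$members = @($group.Invoke('Members')) | ForEach-Object {
    # Each member is a COM object; its ADsPath looks like WinNT://DOMAIN/Name
    $adsPath = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
    ($adsPath -replace '^WinNT://', '') -replace '/', '\'
}

$stamp = Get-Date -Format 's'
$lines = @('"Timestamp","Computer","Member","Status"')
$lines += foreach ($m in $members) {
    # -contains compares strings case-insensitively, which matches Windows naming
    $status = if ($Approved -contains $m) { 'approved' } else { 'REVIEW' }
    '"{0}","{1}","{2}","{3}"' -f $stamp, $env:COMPUTERNAME, $m, $status
}

# One file per computer avoids write collisions when many logon scripts run at once
$outFile = Join-Path $CentralShare ("{0}.csv" -f $env:COMPUTERNAME)
Set-Content -Path $outFile -Value $lines
```

Later, a simple `Select-String REVIEW` across the share shows you every machine where someone outside the approved set holds local admin rights. Restricted Groups, by contrast, enforces the membership rather than just reporting on it, so the two approaches complement each other.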

Why am I having trouble printing with XP domain users?

In most cases, the inability to print or access resources in situations like this one will boil down to an issue with name resolution, either DNS or WINS/NetBIOS. Be sure that your Windows XP clients' wireless connections are configured with the correct DNS and WINS name servers, as well as with the appropriate NetBIOS over TCP/IP settings. Compare your wireless settings to your wired LAN settings and look for any discrepancies that may indicate where the functional difference may lie.

I am upgrading from NT to 2003. The only things that are NT are the PDC and BDCs; everything else is 2000 or 2003 member servers. My question is, when I upgrade my NT domain controllers to 2003, will I need to do anything else to my Windows 2000/2003 member servers that were in the NT domain?

Your existing member servers, regardless of operating system, will simply become member servers in your upgraded AD domain. If you will be using Organizational Units and Group Policy (and I hope you are), you'll probably want to move them to a specific OU for administration and policy application, since they'll be in the default "Computers" container immediately following the upgrade.

How do I use Registry keys to remove a user from a group?

In Windows Server 2003, you can use the dsmod command-line utility with the -delmbr switch to remove a group member from the command line. You should also look into the freeware utilities available from . ADFind and ADMod are indispensable tools in my arsenal when it comes to searching and modifying Active Directory.
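As an added example (not from the original answer), this is how the dsmod -delmbr step looks when wrapped in a short PowerShell script that resolves both distinguished names with dsquery first, so nothing has to be typed by hand. The account and group names are assumed placeholders; run it on a Windows Server 2003 domain member that has the DS command-line tools installed, as an account allowed to modify the group.

```powershell
# Added example: remove one user from one group with the DS command-line tools.
# Assumptions: $userSam and $groupSam are placeholders for a real account and group.
$userSam  = 'jsmith'          # assumed user (sAMAccountName)
$groupSam = 'Finance Users'   # assumed group (sAMAccountName)

# dsquery prints each DN wrapped in double quotes; strip them for reuse
$userDn  = (dsquery user  -samid $userSam)  -replace '"', ''
$groupDn = (dsquery group -samid $groupSam) -replace '"', ''

if (-not $userDn -or -not $groupDn) {
    throw "Could not resolve '$userSam' or '$groupSam' to a distinguished name"
}

# Only act when the user is currently a direct member (dsget prints one DN per line)
$currentMembers = (dsget group $groupDn -members) -replace '"', ''
if ($currentMembers -notcontains $userDn) {
    Write-Host "$userSam is not a direct member of $groupSam; nothing to do"
    return
}

dsmod group $groupDn -delmbr $userDn
dsget group $groupDn -members    # list the membership again to confirm the change
```

The membership check before the dsmod call matters when the script is run more than once: dsmod reports an error if you ask it to remove a member that is not there, and the check keeps the script idempotent.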

Why are my NT4 clients failing to connect to the Windows 2000 domain?

Since NT4 relies on NetBIOS for name resolution, verify that your WINS server (you do have a WINS server running, yes?) contains the records that you expect for the 2000 domain controller, and that your clients have the correct address configured for the WINS server.